Compliance Guru • FFIEC Guidance
By Tom Hinkel In Hot Topics

.Bank or .Bust? New Top Level Domain Promises Increased Security (and Plenty of Questions)


Bankers are being encouraged to register their domain names under the new .bank extension, and although there are reasons to consider making the switch, there are also many questions to answer. Registration is currently open to institutions that hold a trademark on the name they want to register. Open registration begins June 23.

First of all, the regulators have not offered an opinion on this yet. It's important to note that all of the encouragement is coming from the parties that profit from the registrations: the ABA, Symantec, ICANN, and the multiple registrars (still to be determined). The least expensive registration I've seen is around $1,000 per year. Multiply that by the number of FDIC-insured banking institutions* (currently around 6,400) and you get a minimum of $6.4M in new revenue each year. So it's easy to see why the proponents are excited, but what's in it for you? Will the significant increase in effort and expense pay off?

The proponents claim that “.BANK will be a protected, trusted, more secure and easily identifiable space…” on the Internet for banking institutions.  But converting will come at quite a cost to each institution, not just in terms of financial outlay, but time, energy and other resources as well.  And in the end, will the claims of the proponents be realized?


Let's examine each claim, starting with “.bank will be more protected”. It is true that there are multiple safeguards in place to prevent a non-qualifying business from registering a .bank domain. There are 7 categories of banks and banking organizations considered eligible to register, so consumers can have some assurance that xxx.bank is indeed a qualifying business. So, in theory, Bob can't just start up a website called BobsBank.bank unless he is a bank, and in that sense the environment is more protected. Note that eligibility screening only vouches for who the registrant is; it says nothing about how well the site behind the name is run.


A more protected space goes hand-in-hand with another claimed advantage, an “easily identifiable space”. I'm not sure this is a net advantage, though. Currently, if a bad actor wants to target a bank with malware (ransomware, for example), it first has to determine that the website belongs to a bank. Yes, this is trivial, but there is at least some security in obscurity. A .bank domain makes it crystal clear that the site is a bank, so you should expect an increase in spear-phishing attacks against .bank institutions. Having the .bank target on your back might also make DDoS attacks more common, and none of the security enhancements reduce the likelihood of a DDoS. So the advantage of being “more protected” comes at a cost.

But the most often touted advantage of the new domain is that it is designed to be “more secure”. This is definitely a good thing if it can be achieved. Cybersecurity is a big concern for regulators right now, and anything that might enhance the security of the industry overall will be strongly encouraged. (Again, regulators have not come out with a position for or against .bank yet.)

Here are the most significant security enhancements, with the pluses and minuses of each:

| Security Enhancement | Stated Advantage | Additional Considerations |
|---|---|---|
| Mandatory verification of charter/licensure for regulated entities | A more restricted and potentially more protected space; no non-banks posing as banks. | Banks will compete for the choicest names and may not get the domain they request (an existing .com does not guarantee a .bank with the same name). Creates an easily identifiable target environment. |
| Mandatory re-verification of registration data | Ensures registrants maintain eligibility. | Must remember to re-verify every 2 years or risk losing the registration. Additional expense. |
| Domain Name System Security Extensions (DNSSEC) | Lets resolvers verify that DNS answers for the bank's domain are authentic, so users are not redirected by forged DNS responses. | Most banks already use this feature. DNSSEC authenticates the DNS answer only; it does not secure the website content or the encrypted session itself. |
| Email authentication | Lets receiving mail servers verify that mail claiming to come from the bank's domain actually did. | Most banks already use this feature. It protects others from mail spoofing your domain; it does not stop spoofed or look-alike email arriving at your own staff, and it does not prevent phishing in general. |
| Multi-factor authentication | Ensures that only authorized bank personnel make registration changes. | Theoretically useful, but most banks already have measures in place to prevent unauthorized registration changes. |
| Strong encryption | Protects the confidentiality and integrity of traffic between users and the bank's website. | Most banks already have strong security measures in place. |
| Prohibition of proxy/privacy registration services | Prevents anonymous registrants. | Registrant contact information will be readily accessible for all to see, which may lead to an increase in spear-phishing attacks on the registrant contacts. |
| Domains must be hosted on .BANK nameservers | Ensures all .bank sites adhere to the security requirements. | Theoretically useful, but may pose a challenge for banks that host separate informational and transactional sites (e.g., when the transactional site is hosted by a core vendor). |
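The email authentication row is where the “does not prevent phishing” caveat bites, and it is worth seeing exactly why. The Python below is an added example written for this page; it is not code from the page, the ABA, or the .bank program. It assumes that “email authentication” means SPF plus DMARC (the page does not name the mechanisms; DKIM and SPF-domain alignment are left out to keep it short), and all DNS data is constructed inline for a hypothetical example.bank and a hypothetical attacker-controlled look-alike, example-bank-alerts.com. It parses both record types, rates how well a domain's own name is protected from being spoofed to others, and then shows what a DMARC-checking receiver concludes for a forged message claiming to be from example.bank versus a message from the look-alike domain that authenticates perfectly.

```python
"""Added example: what SPF/DMARC protect and what they do not.

Assumes "email authentication" means SPF + DMARC (DKIM omitted). The DNS
data below is constructed, not looked up; example.bank and
example-bank-alerts.com are hypothetical names.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed DNS TXT records standing in for real lookups.
TXT_RECORDS = {
    "example.bank": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.example.bank": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.bank; pct=100"],
    # Look-alike domain the attacker controls: valid SPF, monitor-only DMARC.
    "example-bank-alerts.com": ["v=spf1 ip4:198.51.100.7 -all"],
    "_dmarc.example-bank-alerts.com": ["v=DMARC1; p=none"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] when no record exists."""
    return TXT_RECORDS.get(name.lower(), [])


@dataclass
class SpfRecord:
    mechanisms: list = field(default_factory=list)  # (qualifier, body) pairs
    all_qualifier: str = "?"  # neutral is the default when no 'all' term exists


def parse_spf(domain):
    """Parse the domain's v=spf1 record; None if it has none."""
    for rec in lookup_txt(domain):
        if not rec.lower().startswith("v=spf1"):
            continue
        spf = SpfRecord()
        for term in rec.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            if body.lower() == "all":
                spf.all_qualifier = qualifier
            else:
                spf.mechanisms.append((qualifier, body))
        return spf
    return None


def parse_dmarc(domain):
    """Parse _dmarc.<domain> into a tag dict such as {'v': 'DMARC1', 'p': 'reject'}; None if absent."""
    for rec in lookup_txt(f"_dmarc.{domain}"):
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, source_ip):
    """Evaluate SPF for mail from source_ip that claims to be from domain.

    Only ip4/ip6 mechanisms are evaluated; include/a/mx would need further
    DNS queries and are skipped here, so an unmatched sender falls through
    to the 'all' qualifier.
    """
    spf = parse_spf(domain)
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for qualifier, body in spf.mechanisms:
        if body[:4].lower() in ("ip4:", "ip6:"):
            if ip in ipaddress.ip_network(body[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[spf.all_qualifier]


def outbound_protection(domain):
    """How well the domain's own name is protected against being spoofed to others."""
    spf, dmarc = parse_spf(domain), parse_dmarc(domain)
    if spf is None or dmarc is None:
        return "none"
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy == "none":
        return "monitor-only"  # reports only; forged mail is still delivered
    if spf.all_qualifier == "-" and policy in ("reject", "quarantine") and pct == 100:
        return "enforcing"
    return "partial"  # e.g. ~all, or a policy applied to only part of the mail stream


def inbound_verdict(from_domain, source_ip):
    """What a DMARC-checking receiver concludes about a message claiming From: from_domain."""
    dmarc = parse_dmarc(from_domain)
    if dmarc is None:
        return "no-policy"  # receiver falls back to its own local rules
    if spf_result(from_domain, source_ip) == "pass":
        # Authentic for *that* domain. Says nothing about whether the domain is a bank.
        return "dmarc-pass"
    return {"reject": "reject", "quarantine": "quarantine"}.get(dmarc.get("p", "none").lower(), "deliver")


if __name__ == "__main__":
    print("example.bank outbound protection:", outbound_protection("example.bank"))
    # Attacker forges From: example.bank from their own server: stopped by p=reject.
    print("forged example.bank:", inbound_verdict("example.bank", "198.51.100.7"))
    # Same attacker sends from the look-alike domain they control: passes cleanly.
    print("look-alike domain:", inbound_verdict("example-bank-alerts.com", "198.51.100.7"))
```

The two verdicts at the bottom are the whole point: a strict SPF record and `p=reject` on example.bank stop mail that forges the bank's own name, but the very same attacker sending from a domain they legitimately control passes SPF and DMARC without a blemish. Email authentication verifies the sending domain; deciding whether that domain is your bank is still left to the person reading the message.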

Finally, whether or not the new domain extension is “more trusted” depends on two things: the rate of adoption among all banks, and whether or not the security advantages are realized.

The jury is still out on the security advantages, but regarding the rate of adoption…


* NCUA-insured institutions are apparently out of luck for now, at least until the .CREDITUNION domain becomes available.


Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years' experience, Hinkel's areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.


1 reply added

  1. Wismer, June 17, 2015

    Nice write up. I can tell you put some thought into it.


Copyright ©2021 Compliance Guru®.
All Rights Reserved.
